Health Care Law Blog

Dumping Medical Records Results in $800,000 HIPAA Fine for Health Care System

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced that it reached a resolution agreement with a health care system in connection with alleged violations of the Health Insurance Portability and Protection Act of 1996 (HIPAA). Pursuant to the settlement, Parkview Health System, Inc. (Parkview) agreed to adopt a corrective action plan (CAP) to address deficiencies in its compliance program and to pay $800,000. 

As explained by OCR in a news release, Parkview, a covered entity under the HIPAA Privacy Rule, took custody of medical records of approximately 5,000 to 8,000 patients while assisting a retiring physician to transition patients to new providers, and while considering the purchase of some of the physician’s practice. Subsequently, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes full of medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home. The physician complained, prompting the HHS investigation.

The settlement resulted in a corrective action plan (CAP) to address alleged deficiencies in Parkview's HIPPA compliance. While the resolution agreement notes that the agreement is neither an admission of liability by Parkview nor a concession by HHS that Parkview did not violate HIPAA rules, under the CAP Parkview agreed to do the following:

• Create policies and procedures for administrative, physical and technical safeguards to protect the privacy of non-electronic protected health information (PHI) that are approved by HHS;
• Distribute the HHS approved policies and procedures to its workforce and update existing Parkview policies and procedures accordingly;
• Provide general safeguards training to all Parkview workforce members who have access to PHI;
• Provide written or electronic evidence of training materials for HHS’ review; and
• Submit a final report to HHS regarding Parkview compliance with the CAP.

This settlement is an important reminder to HIPAA covered entities and business associates regarding the proper disposal of PHI. It is imperative for hospitals to understand that the HIPAA Privacy and Security Rules apply to such records - paper and electronic - in the covered entity’s possession and the covered entity needs to treat such records in the same confidential manner as its own records. While the HIPAA Privacy and Security Rules do not require a specific method of disposal of PHI, OCR has issued helpful guidance. In addition to implementing reasonable safeguards to limit incidental access and avoid prohibited uses and disclosures of PHI and policies and procedures addressing the final disposition of electronic PHI, HIPAA also requires that covered entities ensure their workforce members receive training on issues such as proper disposal of PHI.

To avoid investigations, fines and other negative consequences, it is critical for covered entities to ensure their policies and procedures are in compliance with HIPAA's requirements. Please contact us if you have any questions at 517.371.8140 or nstratton@fosterswift.com.

Categories: Compliance, HIPAA, Providers